Introduction


"Non-monotonic" logical systems are logics in which the introduction of new
axioms can invalidate old theorems. Such logics are very important in modeling the
beliefs of active processes which, acting in the presence of incomplete information, must
make and subsequently revise predictions in light of new observations. We present the
motivation and history of such logics. We develop model and proof theories, a proof
procedure, and applications for one important non-monotonic logic. In particular, we
prove the completeness of the non-monotonic predicate calculus and the decidability of the
non-monotonic sentential calculus. We also discuss characteristic properties of this logic
and its relationship to stronger logics, logics of incomplete information, and truth
maintenance systems.


The Problem of Incomplete Knowledge

The relation between formal logic and the operation of the mind has always
been unclear. Some of the more striking differences between properties of formal logics
and mental phenomenology occur in situations dealing with perception, ambiguity,
common-sense, causality and prediction. One common feature of these problems is that
they seem to involve working with incomplete knowledge. Perception must account for the
noticing of overlooked features, common-sense ignores myriad special exceptions, assigners
of blame can be misled, and plans for the future must consider never-to-be-realized
contingencies. It is this apparently unavoidable making of mistakes in these cases that
leads to some of the deepest problems of the formal analysis of mind.

Some studies of these problems occur in the philosophical literature, the most
relevant here being Rescher's [1964] analysis of counterfactual conditionals and
belief-contravening hypotheses. In artificial intelligence, studies of perception, ambiguity and
common-sense have led to knowledge representations which explicitly and implicitly
embody much information about typical cases, defaults, and methods for handling
mistakes. [Minsky 1974, Reiter 1970] Studies of problem-solving and acting have
attempted representing predictive and causal knowledge so that decisions to act require
only limited contemplation, and that actions, their variations, and their effects can be
conveniently described and computed. [Hayes 1970, 1971, 1973, Doyle 1970] Indeed, one
of the original names applied to these efforts, "heuristic programming", stems from
efficiency requirements forcing the use of methods which occasionally are wrong or which
fail. The possibility of failure means that formalizations of reasoning in these areas must
capture the process of revisions of perceptions, predictions, deductions and other beliefs.

In fact, the need to revise beliefs also occurs in deductive systems working within
traditional logics. Much work has been done on mechanized proof techniques for the
first-order predicate calculus. [J.A. Robinson 1965, Nevins 1974, Moore 1975] Incomplete
information is represented in these systems as disjunctions of the several possibilities where
the individual disjuncts may be independent of the axioms being used, that is, cannot be
proven or contradicted by arguments from the axioms. Thus, proof procedures engage in
case-splitting, in which disjuncts are considered in a case-by-case fashion. At any given
time, the proof procedure will have some set of current assumptions, from which the
current set of formulas has been derived. If failures in the proof attempt lead to
investigating new splits, and so change the set of current assumptions, the current set of
derived formulas must also be updated, for it is the current set of formulas on which the
proof procedure bases its actions.

Classical symbolic logic lacks tools for describing how to revise a formal theory
to deal with inconsistencies caused by new information. This lack is due to a recognition
that the general problem of finding and selecting among alternate revisions is very hard.
(For an attack on this problem, see Rescher [1964]. Quine and Ullian [1978] survey the
complexities.) Although logicians have been able to ignore this problem, philosophers
and researchers in artificial intelligence have been forced to face it because humans and
computational models are subject to a continuous flow of new information. One important
insight gained through computational experience is that there are at least two different
problems involved, what might be called "routine revision" and "world-model
reorganization".

World-model reorganization is the very hard problem of revising a complex
model of a situation when it turns out to be wrong. Much of the complexity of such
models usually stems from parts of the model relying on descriptions of other parts of the
model, such as inductive hypotheses, testimony, analogy, and intuition. An example of
such large-scale reorganization would be the revision of a Newtonian cosmology to account
for perturbations in Mercury's orbit. Less grand examples are children's revisions of their
world-models as discovered by Piaget, and the revision of one's opinion of a friend upon
discovering his dishonesty.

Routine revision, on the other hand, is the problem of maintaining a set of facts
which, although expressed as universally true, have exceptions. For example, a program
may have the belief that all animals with beaks are birds. Telling this program about a
platypus will cause a contradiction, but intuitively not as serious a contradiction as those
requiring total reorganization. The relative simplicity of this type of revision problem
stems from the statement itself expressing what revisions are appropriate by referring to
possible exceptions. Such relatively easy cases include many forms of inferences, default
assumptions, and observations.


Classical logic, by lumping all contradictions together, has overlooked the
possibility of handling the easy ones by expanding the notation in which rules are stated.
That is, we could have avoided this problem by stating the belief as "If something is an
animal with a beak, then unless proven otherwise, it is a bird." If we allow statements of
this kind, the problem becomes how to coordinate sets of such rules. Each such statement
may be seen as providing a piece of advice about belief revision; for our approach to
make sense, all the little pieces of advice must determine a unique revision. This is the
subject of this paper. Of course, even if we are successful, the world-model
reorganization problem will still be unsolved. But we hope factoring out the routine
revision problem will make the more difficult problem clearer.


Approaches to Non-Monotonic Logic and the Semantical Difficulties

The study of the problem of formalizing the process of revision of beliefs has
been almost completely confined to the practical side of artificial intelligence research,
where much work has been done. [Hewitt 1972, McDermott 1974, Stallman and Sussman
1977, Doyle 1978] Theoretical foundations for this work have been lacking. This paper
studies the foundations of these forms of reasoning with revisions which we term
non-monotonic logic.

Traditional logics are called monotonic because the theorems of a theory are
always a subset of the theorems of any extension of the theory. (This name for this
property of classical logics was used, after a suggestion by Pratt, in Minsky's [1974]
discussion. Hayes [1973] has called this the "extension" property.) In this paper, by
theory we will mean a set of axioms. A more precise statement of monotonicity is this: If
A and B are two theories, and A ⊆ B, then Th(A) ⊆ Th(B), where Th(S) = {p: S ⊢ p} is
the set of theorems of S. We will be even more precise about the definition of ⊢ later.

Monotonic logics lack the phenomenon of new information leading to a revision
of old conclusions. We obtain non-monotonic logics from classical logics by extending
them with a modality ("consistent") well-known in artificial intelligence circles, and show
that the resulting logics have well-founded, if unusual, model and proof theories. We
introduce the proposition-forming modality M (read "consistent"). Informally, Mp is to
mean that p is consistent with everything believed. (See [McCarthy and Hayes 1969].)
Thus one small theory employing this modality would be


(1) noon ∧ M[sun-shining] ⊃ sun-shining

(2) noon

(3) eclipse ⊃ ¬sun-shining,
If we add the axiom
(5) eclipse

then (4) is inconsistent, so (4) is not a theorem of the extended theory.

The use of non-monotonic techniques has some history, but until recently the
intuitions underlying these techniques were inadequate and led to difficulties involving the
semantics of non-monotonic inference rules in certain cases. We mention some of the
guises in which non-monotonic reasoning methods and belief revising processes have
appeared.
In PLANNER [Hewitt 1972], a programming language based on a negationless
calculus, the THNOT primitive formed the basis of such reasoning. THNOT, as a goal,
succeeded only if its argument failed, and failed otherwise. Thus if the argument to
THNOT was a formula to be proved, the THNOT would succeed only if the attempt to
prove the embedded formula failed. In addition to the non-monotonic primitive THNOT,
PLANNER employed antecedent and erasing procedures to update the data base of
statements of beliefs when new deductions were made or actions taken. Unfortunately, it
was up to the user of these procedures to make sure that there were no circular
dependencies or mutual proofs between beliefs. Such circularities could lead to, for
example, errors of groundless belief (due to two mutually supporting beliefs) or
non-terminating programs (a more technical but no less irritating problem).

Two related forms of non-monotonic deductive systems are those described by
McCarthy and Hayes [1969] and Sandewall [1972]. McCarthy and Hayes give some
indications of how actions might be described using modal operators like "normally" and
"consistent", but present no detailed guidelines on how such operators might be carefully
defined. Sandewall, in a deductive system applied to the frame problem (which is
basically the problem of efficiently representing the effects of actions; see [Hayes 1973])
used a deductive representation of non-monotonic rules based on a primitive called
UNLESS. This was used to deduce conditions of situations resulting from actions except in
those cases where properties of the action changed the extant conditions. Thus one might
say that things retain their color unless painted.

Sandewall's interpretation of UNLESS was in accord with then current intuitions:
UNLESS(p) is true if p is not deducible from the axioms using the classical first-order
inference rules. Unfortunately, this definition has several problems, as pointed out by
Sandewall. One problem is that it can happen that both p and UNLESS(p) are deducible,
since from a rule like "from UNLESS(C) infer D", D can be inferred, but at the same time
UNLESS(D) is also deducible since D is not deducible by classical rules. These problems
are partly due to the dependence of the notion of "deducible" on the intention of
deduction rules based on "not deducible". This question-begging definition leads to
perplexing questions of beliefs when complicated relations between UNLESS statements are
present. For example, given the axioms

A

A ∧ Unless(B) ⊃ C

A ∧ Unless(C) ⊃ B,

we are faced with the somewhat paradoxical situation that either B or C can be deduced,
but not both simultaneously. On the other hand, in the axiom system

A

A ∧ Unless(B)

A ∧ Unless(C) ⊃ D

A ∧ Unless(D) ⊃ E,

one would expect to see A, C and E believed, and B and D not believed.

One might be tempted to dismiss these anomalous cases as uninteresting. In fact,
such cases are not perverse; rather, they occur naturally and are very important in many
applications. One common way they are introduced is by employing assumptions which
require further assumptions to be made. Of course, such hierarchical relations between
choices can be avoided in any fixed theory by rephrasing the system in terms of one
universal state variable, but such a solution is practically undesirable and inefficient;
instead, it is necessary to employ systems which allow such patterns of dependency
relationships to occur.

Spurred by Sandewall's presentation of the problems arising through such
non-monotonic inference rules, Kramosil [1975] considered sets of inference rules of the form

"From ⊢p, ⊬q, infer ⊢r",

where ⊢ and ⊬ are tokens of the meta-language and the number of antecedents can be
arbitrary. Kramosil defined the set of theorems in such a system as the intersection of all
subsets of the language closed under the inference rules. He noted that this set may not
itself be closed under the inference rules, and showed that in the special case in which the
inference rules preserve truth values (that is, are effectively monotonic) that if the set of
theorems of the monotonic inference rules alone is also closed with respect to the
non-monotonic inference rules, then this set is the set of non-monotonic theorems. Kramosil's
conclusion was that a set of inference rules defines a formalized theory (one in which all
formulas have a well-defined truth value) if and only if this same theory is that of the
monotonic inference rules alone, which he interprets to mean that the non-monotonic rules
are either useless or meaningless.

As we will show in this paper, Kramosil's interpretation was too pessimistic with
regard to the possibility of formalizing such rules and their unusual properties. As we
have argued above, the purpose of non-monotonic inference rules is not to add certain
knowledge where there is none, but rather to guide the selection of tentatively held beliefs
in the hope that fruitful investigations and good guesses will result. This means that one
should not a priori expect non-monotonic rules to derive valid conclusions independent of
the monotonic rules. Rather, one should expect to be led to a set of beliefs which, while
perhaps eventually shown incorrect, will meanwhile coherently guide investigations.

In recent work, McCarthy and Reiter have discussed some particular forms of
non-monotonic reasoning. McCarthy [1977] outlines a procedure called "circumscription",
in which the current partial extension of some predicate is assumed to be the complete
extension. Of course, new examples of the predication can invalidate previous
completeness assumptions. Reiter [1977] analyzes the related technique of assuming false
all elementary predications not explicitly known true. He outlines some conditions under
which data bases remain consistent under this "closed world assumption", and shows
certain forms of data bases to be naturally consistent with this assumption. However, the
closed world assumption does not seem to allow for any locality of definition of defaults,
since it applies this assumption to all primitive predicates, and does not allow defaults
applied to defined predicates. Circumscription, on the other hand, would seem to be
applicable to any predicate whatever. Although they describe tools for non-monotonic
reasoning, neither McCarthy nor Reiter discusses the problem of revision of beliefs.

These problems were mostly resolved in the Truth Maintenance System (TMS) of
Doyle [1978] and subsequent related systems [London 1977, McAllester 1978], in which
each statement has an associated set of justifications, each of which represents a reason for
holding the statement as a belief. These justifications are used to determine the set of
current beliefs by examining the recorded justifications to find well-founded support
(non-circular proofs) whenever possible for each belief. When hypotheses change, these
justifications are again examined to update the set of current beliefs. This scheme
provides a more accurate version of antecedent and erasing procedures of PLANNER
without the need to explicitly check for circular proofs. The non-monotonic capability
appears as a type of justification which is the static analogue of the PLANNER THNOT
primitive. Part of the justification of a belief can be the lack of valid justifications for
some other possible program belief. This allows, for example, belief in a statement to be
justified whenever no proof of the negation of the statement is known. This
representation of non-monotonic justifications, in combination with the belief revision
algorithms, produced the first system capable of performing the routine revision of
apparently inconsistent theories into consistent theories. Part of this revision process is a
backtracking scheme called dependency-directed backtracking. [Stallman and Sussman
1971] We will analyze this system in more detail later, but first we provide some
theoretical foundations for this work.

In outline, our analysis of these questions will proceed as follows. We first
define a standard language of discourse including the non-monotonic modality M
("consistent"). The semantics of the language is based on models constructed from fixed
points of a formalized non-monotonic proof operator. Provability in this system is then
defined, and a proof of completeness for this system is presented. This is augmented by a
proof procedure for a restricted class of theories and an analysis of some of the structure
of models of non-monotonic theories.


Linguistic Preliminaries

We settle on a language L which will be the language of all theories mentioned
in the following. L has an infinite number of constant letters, variable letters, predicate
letters, and propositional constant letters. The formation rules of the language are as
follows:


The atomic formulas of L are the propositional constant letters and the strings of
the form g(x1, ..., xn) for predicate letter g and variables or constants x1, ..., xn. The
formulas of L are either atomic formulas or, for formulas p, q and variable letter x,
strings of the form Mp, ¬p, p⊃q, and ∀xp. We use the usual abbreviations of p∧q for
¬[p⊃¬q], p∨q for ¬p⊃q, ∃xp for ¬∀x¬p, and abbreviate ¬M¬p as Lp. A statement is a
formula with no free variables. The usual criteria for determining free variables apply
(see [Mendelson 1964]). In addition, a variable x is free in Mp if and only if x is free
in p.


In this paper, the letters C, D, E and F will be used as syntactic variables
ranging over propositional constant letters. The letters p, q and r will be used for
formulas. Implicit quasi-quotation is used throughout. That is, if p and q are formulas,
p⊃q is the formula obtained by concatenating p, the implication symbol, and q. This
notation extends to handle finite sets of formulas in the following way: if Q is a finite set
of formulas, and Q appears in a quasi-quoted context, it always stands for the
conjunction of its elements. For example, Q⊃p means the formula obtained by conjoining
all the elements of Q and following the result with the implication symbol and p. (If Q is
empty, it stands for C∨¬C.) Since syntax is not a preoccupation of this paper, the
presentation is not rigorous in specifying the number of arguments of predicate letters,
parenthesization, etc.

The inferential system used defines a first-order theory to be a set of axioms
including the following infinite class of axioms:
For all formulas p, q and r:

(6) (i) p⊃[q⊃p]

(ii) [p⊃[q⊃r]]⊃[[p⊃q]⊃[p⊃r]]

(iii) [¬q⊃¬p]⊃[[¬q⊃p]⊃q]

(iv) ∀xp(x)⊃p(t)

where p(x) is a formula and t is a constant or a variable free for x in p(x) and p(t)
denotes the result of substituting t for every free occurrence of x in p(x), and

(v) ∀x[p⊃q]⊃[p⊃∀xq]

if p is a formula containing no free occurrence of x. (These axioms are from [Mendelson
1964].) These are the logical axioms. All other axioms are called proper, or non-logical
axioms. The theory with no proper axioms is called the predicate calculus (PC). (Note
that this theory also contains strings containing the letter M, so it is actually not strict PC.)
The sentential calculus (SC) consists of axioms which are instances of (i), (ii) and (iii)
only. A theory consisting only of the sentential calculus plus a finite number of statements
is called a statement theory.

In this paper, the letters A and B will be used to stand for theories.


Proof-Theoretic Operators

The monotonic rules of inference we will use (also from [Mendelson 1964]) are

(7) Modus Ponens: from p and p⊃q, infer q
Generalization: from p, infer ∀xp.

If S is a set of formulas, and p follows from S and the axioms of A by the rules (7), we
say S ⊢_A p. We abbreviate ⊢_PC by ⊢ alone. We define Th(S) = {p: S ⊢ p}.

The particular inference rules (7) are not very important. Later in the paper,
when we concentrate on statement theories, the rule of generalization will be dropped
without much fanfare. All that is important is that the operator Th have the following
properties, which together are called monotonicity:

(8) (i) A ⊆ Th(A)

(ii) If A ⊆ B, then Th(A) ⊆ Th(B),

and the property (9) of idempotence

(9) Th(Th(A)) = Th(A).

Clearly, any classical inference system satisfies these conditions. Condition (9) can also be
viewed as a fixed point equation, stating that the set of theorems monotonically derivable
from a theory is a fixed point of the operator which computes the closure of a set of
formulas under the monotonic inference rules. A well-known property of the monotonic
inference rules is that Th(A) is the smallest fixed point of this closing process; in fact,
that Th(A) is the intersection of all S such that A ⊆ S and Th(S) = S.

In order to deal with non-monotonic logic, we need a new inference rule like this
one (which we will take back immediately):

(10) "If ⊬_A ¬p, then ⊢_A Mp."

That is, if a formula's negation is not derivable, it may be inferred to be consistent. As it
stands, however, this rule is of no value because it is circular. "Derivable" means
"derivable from axioms by inference rules", so we cannot define an inference rule in terms
of derivability so casually.

Instead, we retain the definition of ⊢ as meaning monotonic derivability, and
define the operator NM as follows: for any first-order theory A and any set of formulas
S ⊆ L (L, recall, is the entire language), let

(11) NM_A(S) = Th(A ∪ As_A(S)),
where As_A(S), the set of assumptions from S, is given by

(12) As_A(S) = {Mq: q ∈ L and ¬q ∉ S} − Th(A).

Notice that theorems of A of the form Mq are never counted as assumptions. NM_A takes a
set S and produces a new set which includes Th(A) but also includes much more:
everything provable from the enlarged set of axioms and assumptions which is the
original theory together with all assumptions not ruled out by S. We would like to define
TH(A), the set of theorems non-monotonically derivable from A, by analogy with the
monotonic case as

(13) "TH(A) = the smallest fixed point of NM_A"

This "definition" tries to capture the idea of adding the non-monotonic inference rule (10)
to a first-order theory A. This is plausible, since it demands a set such that all of its
elements may be proven from axioms and assumptions not wiped out by the proofs.
Unfortunately, there is in general no appropriate fixed point of NM_A. It can happen that
a theory has no fixed point under the operator NM_A. Even if there are fixed points,
there need not be a smallest fixed point.


For example, consider the theory T1 obtained as

(14) T1 = PC ∪ {MC⊃¬D, MD⊃¬C},

where C and D are propositional constants. NM_T1 has two fixed points, which can be
called F1 and F2. F1 contains ¬C but not ¬D, and F2 contains ¬D but not ¬C. Since ¬D is
not in F1, MD is in F1, and so ¬C is in F1. Similarly, the presence of ¬D in F2 keeps ¬C
out and MC in F2. The problem is that neither F1∩F2 nor F1∪F2 is a fixed point of
NM_T1. Since neither ¬C nor ¬D is in F1∩F2, MC and MD are both in NM_T1(F1∩F2), so
¬C and ¬D are in NM_T1(F1∩F2), so F1∩F2 ≠ NM_T1(F1∩F2). Similarly, both ¬C and ¬D
are in NM_T1(F1∪F2), so applying NM_T1 to the union results in a smaller set. So in this
case there is no natural status for ¬C and ¬D.

An example of a theory with no fixed point of the corresponding operator is the
theory T2 obtained as

(15) T2 = PC ∪ {MC⊃¬C}.

In this case, NM_T2 has no fixed point, since alternate applications of the operator to any
set produce new sets in which either both MC and ¬C exist or neither exist.

Therefore, we must accept a somewhat less elegant definition of TH. Let us
define TH as follows:

(16) TH(A) = ∩({L} ∪ {S: NM_A(S) = S}).

That is, the set of provable formulas is the intersection of all fixed points of NM_A, or the
entire language if there are no fixed points. We will use the abbreviation A |~ p to indicate
that p ∈ TH(A). With this definition, neither MC nor MD is a theorem of T1 in (14),
but MC∨MD is. In the following, we will abbreviate {S: NM_A(S) = S} as FP(A), and
(somewhat abusing the terms) call the elements of this set fixed points of the theory A.
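
An added example, not code from the paper: a brute-force search for the fixed points of NM_A in (11)-(12) and the theoremhood test (16), run on T1 (14), T2 (15) and the noon/eclipse theory (1)-(3). It handles statement theories only and assumes the q of (12) is restricted to a finite `candidates` list, a restriction the paper's definition does not make; all function and variable names are hypothetical.

```python
from itertools import combinations, product

# Formulas: a str is a propositional letter; tuples are compound formulas.
def Not(p): return ("not", p)
def Imp(p, q): return ("imp", p, q)
def And(p, q): return ("and", p, q)
def Or(p, q): return ("or", p, q)
def M(p): return ("M", p)          # the "consistent" modality

def atoms(f):
    """Letters and M-formulas; Th treats every Mq as an opaque atom."""
    if isinstance(f, str) or f[0] == "M":
        return {f}
    return set().union(*(atoms(g) for g in f[1:]))

def value(f, v):
    """Classical truth value of f under the assignment v."""
    if isinstance(f, str) or f[0] == "M":
        return v[f]
    op, args = f[0], [value(g, v) for g in f[1:]]
    if op == "not":
        return not args[0]
    if op == "imp":
        return (not args[0]) or args[1]
    if op == "and":
        return args[0] and args[1]
    if op == "or":
        return args[0] or args[1]
    raise ValueError(f"unknown connective {op!r}")

def entails(premises, goal):
    """True iff goal is in Th(premises), decided by truth table."""
    syms = list(set().union(atoms(goal), *(atoms(p) for p in premises)))
    for bits in product([False, True], repeat=len(syms)):
        v = dict(zip(syms, bits))
        if all(value(p, v) for p in premises) and not value(goal, v):
            return False
    return True

def fixed_points(axioms, candidates):
    """Generating sets A + G such that Th(A + G) is a fixed point of NM_A,
    with the q of (12) restricted to `candidates` (assumption of this sketch)."""
    found = []
    for k in range(len(candidates) + 1):
        for chosen in combinations(candidates, k):
            base = list(axioms) + [M(q) for q in chosen]
            # (12): Mq is assumed iff ¬q is not in S and Mq is not in Th(A).
            if all((q in chosen) == (not entails(base, Not(q))
                                     and not entails(axioms, M(q)))
                   for q in candidates):
                found.append(base)
    return found

def provable(axioms, candidates, goal):
    """(16): goal lies in every fixed point; vacuously true if there is none."""
    return all(entails(fp, goal) for fp in fixed_points(axioms, candidates))

T1 = [Imp(M("C"), Not("D")), Imp(M("D"), Not("C"))]   # theory (14)
T2 = [Imp(M("C"), Not("C"))]                          # theory (15)
SUN = [Imp(And("noon", M("sun")), "sun"), "noon",
       Imp("eclipse", Not("sun"))]                    # axioms (1)-(3)

if __name__ == "__main__":
    print("T1 fixed points:", len(fixed_points(T1, ["C", "D"])))
    print("T1 proves MC or MD:", provable(T1, ["C", "D"], Or(M("C"), M("D"))))
    print("T2 fixed points:", len(fixed_points(T2, ["C"])))
    print("sun-shining:", provable(SUN, ["sun"], "sun"))
    print("after eclipse:", provable(SUN + ["eclipse"], ["sun"], "sun"))
```

Adding `"eclipse"` to `SUN` removes `sun` from the theorems, which is the non-monotonic behaviour the text describes, and `T2` returns every formula as provable because it has no fixed point.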

This definition of the provable statements is quite similar in some respects to the
definition of compatibility-restricted entailment given by Rescher [1964]. In that system, a
set S of formulas is said to CR-entail a formula p if p follows in the standard fashion
from each of one or more "preferred" maximal consistent subsets of S. In the present case,
we obtain the preferred subsets of formulas as fixed points of the operator NM_A (the
"compatible subsets"), but in contrast to normal deducibility where the empty set always
suffices, there need not be any such subsets. This case produces the entire language as the
set of provable formulas by vacuous fulfillment of the condition of derivability.

One unusual consequence of this definition of provability is that the deduction
theorem does not hold for non-monotonic logic. For example, while {C} |~ MLC, it is
not true that |~ C⊃MLC. This failure of the deduction theorem is to be expected,
however, since the non-monotonic provability of a formula depends on the completeness
of the set of hypotheses, that is, on the fact that no other axioms are available. The
deduction theorem, however, would, if valid, produce implications valid no matter what
other axioms were added to the system, even if these axioms would invalidate the
completeness condition used in the derivation of the implication. One should note that
although the deduction theorem does not hold in general in non-monotonic logic, there are
many particular cases in which it does hold. For instance, if some conclusion follows
classically from some hypotheses, then the expected implication will also hold. In
addition, not all properly non-monotonic theories are such that the deduction theorem
fails. It is an interesting open problem to characterize the precise cases in which the
deduction theorem is valid in non-monotonic theories.

So far, we have defined "provability" without defining "proof". For a formula
to be provable in a theory, it must have a standard proof from axioms and assumptions
in each fixed point of the theory, and, as yet, we have no way of enumerating fixed
points or even of describing one. It is worth noting that when a theory has more than one
fixed point, the fixed points are inaccessible in the sense that the sequence Th(A),
NM_A(Th(A)), NM_A(NM_A(Th(A))), ... does not converge to a fixed point. We have a
proof, which we do not present here, that if has exactly one fixed point, then the
fixed point is the limit of successive applications of NM_A to the sequence of sets starting
with A. We will eventually attend to defining non-monotonic proof, but first we turn our
attention to the topic of semantics.


Model  Theory 

The semantics of non-monotonic logic is built on the notion of model, just like
the semantics of classical logic. In fact, the definition of model for a non-monotonic
theory depends directly on the usual definition.

An interpretation V of formulas over a language L is a pair <X, U>, where X is
a nonempty set, and U is a function which associates relations and values over the domain
X with each predicate, variable, constant and propositional constant letter in the usual
fashion. That is, for each n-ary predicate letter P, U(P) ⊆ X^n; for each variable or
constant x, U(x) ∈ X; and for each propositional constant letter C, U(C) ∈ {0, 1}.
Using this mapping function U we define the value V(p) of a formula p in the
interpretation V to be an element of {0, 1} satisfying the following conditions: For an
atomic formula p(x_1, ..., x_n), the value is 1 if <U(x_1), ..., U(x_n)> ∈ U(p), and is 0
otherwise. V(¬p) = 1 if V(p) = 0, and is 0 otherwise. V(p⊃q) = 1 if either V(p) = 0 or
V(q) = 1, and is 0 otherwise. V(∀xp) = 1 if for all y ∈ X, V'(p) = 1, where V' = <X,
[y/x]U>, where [y/x]U is the mapping derived from U by changing its value at the
point x to the value y. V(∀xp) = 0 otherwise. If V(p) = 1, we say that V satisfies p, and
write V ⊨ p.

A monotonic model of a set of formulas S ⊆ L is an interpretation V which
satisfies each formula in S, that is, V(p) = 1 for each formula p ∈ S. A non-monotonic
model of a theory A is a pair <V, S>, where V is a monotonic model of S, and S ∈ FP(A).
When the context makes the intended meaning clear, we will use the term model of A to
mean either a non-monotonic model, a monotonic model, or an element of FP(A) for the
theory A.

Although unorthodox, this definition provides a meaning for formulas Mp
which reflects the proof-theoretic property that "p is consistent with what is believed".
This notion is made precise by including in the model a set of "current assumptions"
(namely, As_A(S)). A model for a theory must assign 1 to all of these assumptions, so the
effect is that Mp is assigned 1 in a model if ¬p is not derivable and ¬Mp is not derivable
from the current assumptions and the original theory, that is, if p is consistent with what
is "believed" in the model. Unfortunately, Mp may be assigned 1 in some model even
when ¬p is derivable (for example, when no axiom mentions Mp at all). This indicates
that the logic is too weak. We will discuss this question later.

A more  elegant  approach  towards  the  definition  of  non-monotonic  models  might 
involve  the  definition  of  a notion  of  "stable"  models,  followed  by  a demonstration  of  a 
connection  between  stable  models  and  fixed  points  of  theories.  This  would  give  the  model 
theory  some  independence  from  the  proof  theory.  We  have  developed  such  an  approach 
for a stronger non-monotonic logic, as discussed later, but this sort of approach seems
doomed  to  failure  in  the  present  weak  logic. 

Much  of  the  unorthodoxy  of  this  semantics  stems  from  the  nature  of  non- 
monotonicity itself.  Because  the  intended  meaning  of  the  operator  M makes  reference  to 
the  other  formulas  of  the  theory,  an  unusual  holistic  semantics  results  in  which  the 
meanings  of  formulas  involving  M depend  on  the  theory  as  a whole.  Thus  the  semantics 
is  quite  unlike  the  Kripkean  semantics  developed  for  the  standard  modal  logics.  In  a later 
section,  we  will  examine  such  differences  in  more  detail. 

With this definition of model, we can justify the definition of provability.

Theorem 1. (Soundness) If A |~ p, then V ⊨ p for all models <V, S> of A.

Proof: Assume A |~ p. If there are no models of A, the theorem follows trivially.
Otherwise, p is a member of every fixed point of A. But since every model of A is a
monotonic model of a fixed point of A, every model assigns 1 to p. ∎

Theorem 2. (Completeness) If V ⊨ p for all models <V, S> of A, then A |~ p.

Proof: Assume that it is not true that A |~ p. Thus there is a fixed point S of NM_A
which does not contain p. Now Th(S) = S by idempotence, so S ⊬ p. But the predicate
calculus is complete, so some monotonic model V of S has V(p) = 0. ∎

It is not surprising that we have completeness, since the definition of truth
makes reference to provability. The proof was for first-order theories, but it can easily be
generalized to any complete formal logic. For example, if we take care not to confuse M
with the S5 operator "possibly", we can easily get a complete non-monotonic extension of
S5. However, none of these observations are very interesting unless we have some
assurance that provability is decidable. We will shortly present a proof procedure for
non-monotonic statement theories.


Fixed  Points  of  Theories 

This  section  will  try  to  analyze  the  structure  of  fixed  points  for  non-monotonic 
theories.  We  investigate  the  number  of  fixed  points  of  theories,  and  their  relation  to  the 
provable  statements. 

Non-monotonic theories may have varying numbers of fixed points. Classically
inconsistent theories have just one fixed point (the entire language L) and thus no
models. The theory T2 in (15) also has no models due to the lack of a fixed point.
Theories formulated in strictly classical language have exactly one fixed point, as does the
theory

(17) T3 = PC ∪ { MC⊃C }.

Some theories have several fixed points, e.g. T1 in (14). It is also possible for a theory to
have an infinite number of fixed points. This is exemplified (we assume equality and an
infinite domain of unequal constants) by

(18) T4 = PC ∪ { ∀x[Mp(x)⊃[p(x)∧∀y[x≠y⊃¬p(y)]]] }.

Even in theories having only one fixed point, the non-monotonically provable
statements need not coincide with the classically provable statements. Theory T3 above is
an example, for C ∈ TH(T3), but C ∉ Th(T3). Some statements will be provable in
theories with multiple fixed points, but will have different proofs in each fixed point. For
example, MC∨MD ∈ TH(T1), and ∃xMp(x) ∈ TH(T4).

The classical results concerning truth and provability for logical languages are
that, for a given theory A, a formula is valid in A (true in all models of A) if and only
if it is provable in A, and that the theory has a model if and only if it is consistent
(cannot be used to derive a contradiction). In non-monotonic logic, somewhat different
circumstances obtain. As Theorems 1 and 2 have shown, validity in a theory remains
equivalent to provability. However, from the definition of models of non-monotonic
theories, it follows that a non-monotonic theory A has a model only if the operator NM_A
has a classically consistent fixed point. Non-monotonic theories can lack fixed points (e.g.
the theory T1), but we have defined such theories to be inconsistent.

The  basic  structure  theorem  states  that  all  fixed  points  of  a non-monotonic 
theory  A are  (set  inclusion)  minimal  fixed  points. 

Theorem 3. If S1, S2 ∈ FP(A) and S1 ⊆ S2, then S1 = S2.

Proof: If S1 ⊆ S2, then As_A(S2) ⊆ As_A(S1), so by the monotonicity of Th,
NM_A(S2) ⊆ NM_A(S1). But since S1 and S2 are fixed points of this operator, S2 ⊆ S1, so
S1 = S2. ∎

This result suggests that strict set-theoretic minimality is not a particularly interesting
distinction among fixed points. In the following sections we will make steps towards more
interesting classifications, but without a fully satisfactory solution. Important applications
of this theorem are the following two corollaries.

Corollary  4.  If  L is  a fixed  point  of  A,  then  it  is  the  only  fixed  point  of  A. 

Proof: If S ∈ FP(A), then S ⊆ L, so S = L by Theorem 3. ∎

Note that if L is a fixed point of A, then A is classically inconsistent, that is, Th(A) = L.

Corollary 5. If p, ¬p ∈ TH(A), then TH(A) = L.

Proof: If A has no fixed points, the theorem follows by definition. If both p and ¬p
are members of a fixed point S of A, then since fixed points are closed under monotonic
deduction, S = L. But then FP(A) = {L}, so TH(A) = L. ∎

With  these  results,  we  can  study  the  notion  dual  to  provability  in  non-monotonic 
theories. We say that a formula p is arguable from A if p ∈ ∪FP(A), that is, if some
fixed point of A contains p. Clearly, all provable formulas are arguable. Our next
theorem shows that in consistent theories, provability and arguability are almost dual
notions.

Theorem 6. If A is consistent and p is provable in A, then ¬p is not arguable.

Proof: If p is provable in a consistent theory A, then any S ∈ FP(A) containing ¬p
would be inconsistent, which is impossible by Corollary 4. ∎

Unfortunately, the converse of this theorem is not true. For example, in the theory with
no proper axioms, ¬C is not arguable, but C is not provable. We will term the notion
dual to provability conceivability. Thus all arguable formulas are conceivable, but not vice
versa. We say doubtless p if and only if ¬p is not arguable. In PC, C is doubtless yet not
arguable, and in the theory

(19) T5 = PC ∪ { MC⊃C, M¬C⊃¬C }

C is arguable yet not doubtless. Summarizing, we have the following diagram of sets of
formulas with these properties, where all inclusions are proper.


[Diagram not recoverable; surviving label: DOUBTLESS]


It is worthy of note that the provable and arguable statements of a consistent
theory cannot be classified as the monotonic theorems of the theory augmented by some set
of assumptions. That is, the set of arguable statements may be inconsistent yet not sum to
the entire language L, and the set of provable statements may involve assumptions that
vary from fixed point to fixed point, as in the theory T2 above, where neither the
assumption MC nor the assumption MD is present in both fixed points.

Another natural classification is that of "decision". We say that p is decided by a
consistent theory A if and only if for all S ∈ FP(A), either p ∈ S or ¬p ∈ S. The dual to
this notion is just its negation. In this case we say that A is ambivalent about p if p is not
decided by A.

Corollary 7. If p is doubtless yet decided by A, p is provable.

Proof: For each S ∈ FP(A), either p ∈ S or ¬p ∈ S; yet ¬p ∉ S, so p ∈ S. ∎


The  Evolution  of  Theories 

We now turn to analyzing inter-theory relationships. These are important in
describing the effects of incremental changes in the set of axioms, and this is the task of
practical systems like the TMS [Doyle 1978], which has the task of maintaining a
description of a model of a changing set of axioms. As we shall see, there are many
unusual phenomena which occur when theories change. The most striking result shows
that the analogue of the compactness theorem of classical model theory does not hold for
non-monotonic theories. This has important repercussions on the methods useful in
constructing "models" of theories incrementally.

Theorem  8.  There  exists  a consistent  theory  with  an  inconsistent  subtheory. 

Proof: Consider the consistent theory

(20) T6 = PC ∪ { MC⊃¬C, ¬C }.

The subtheory PC ∪ { MC⊃¬C } is inconsistent. ∎

Note, however, that the theory T6 in (20) has as a thesis the formula ¬MC, which makes
it  quite  different  than  some  previously  considered  theories.  We  will  discuss  this  type  of 
theory  in  more  detail  later. 

In many cases, the changes in fixed points induced by changes in theories are less
drastic than those apparent in the previous theorem. The simplest cases are as follows.

Theorem 9. If A is consistent, and p is arguable in A, then A' = A∪{p} is consistent, and
FP(A') ∩ FP(A) ≠ ∅.

Proof: Since p is arguable, there is some S ∈ FP(A) such that p ∈ S. But clearly, S is
then also a fixed point of NM_A'. ∎

Unfortunately,  this  theorem  cannot  be  strengthened  to  conclude  that  FP(A')  is  contained 
in  FP(  A),  since  in  the  theory 

(21) T7 = PC ∪ { MC⊃¬D, MD⊃¬C, }

there are two fixed points, call them F1 and F2, with ¬C ∈ F1, E ∈ F1 and ¬D ∈ F2,
E ∉ F2. Extending this theory by adding the axiom E produces a theory also with two
fixed points, one of which is F1, but the other fixed point F3 differs from F2 in that
E ∈ F3 and M¬E ∉ F3.

Theorem 10. If A and A' = A∪{p} are consistent and FP(A) ∩ FP(A') ≠ ∅, then p is
arguable in A.

Proof: Since p ∈ A', p ∈ S for every S ∈ FP(A'). Thus p ∈ S for some S ∈ FP(A). ∎

Theorem 11. If A and A' = A∪{p} are consistent, then p is provable in A if and only if
FP(A') = FP(A).

Proof: If p is provable in A, p ∈ S for every S ∈ FP(A), so each member of FP(A) is
also a member of FP(A'). If FP(A) = FP(A'), then since p ∈ S for each S ∈ FP(A'),
p ∈ S for each S ∈ FP(A), so p is provable in A. ∎

The  import  of  these  theorems  is  that  if  a new  axiom  is  already  implicit  in  the 
current  axioms,  either  no  change  of  fixed  point  is  necessary,  or  a simple  shift  to  a 
different  fixed  point  of  the  previous  axioms  is  allowable.  When  considering  changes 
which delete axioms from theories, the basic problem is the non-compactness result
mentioned  above.  Other  interesting  questions  are  of  the  form  "how  few  axioms  must  be 
added  or  removed  to  remove  p".  Answers  to  these  questions  will  in  general  depend  on  the 
specific  theory  in  question. 

Another  important  phenomenon  is  the  "hierarchy  of  assumptions"  [Doyle  1978], 
in which some non-monotonic choices depend on others. This manifests in terms of fixed
points as the addition of new axioms increasing the number of fixed points of the theory.
For example, adding the axiom E to the theory

(22) T8 = PC ∪ { [E∧MC]⊃¬D, [E∧MD]⊃¬C }

increases the number of fixed points from one to two. In this case, E can be interpreted as
the reason for choosing between ¬C and ¬D.

To  get  a global  view  of  theory  evolution,  we  consider  the  set  of  all  consistent 
theories  containing  a consistent  theory  A as  a subtheory.  For  a formula  p,  we  can 
consider  the  evolution  of  the  properties  of  p of  being  arguable,  provable,  or  decided  over 
sequences  of  extensions  of  the  theory  A.  The  evolution  of  arguability  is  mainly  a question 
of control structures; this is the point of the encoding of control primitives in
non-monotonic dependency relationships given by Doyle [1978]. We have at present no way of
describing the evolution of decision. However, analysis of the relationships between the
theories and their extensions will shed light on how our semantics for Mp matches the
intuitive notion of "p can be added consistently to the theory".

We say that p is assumable in a consistent theory A if the theory A∪{p} is also
consistent. We name the dual notion by saying that p is uncontroversial in a theory if ¬p
is not assumable in the theory. The matching of the semantics of non-monotonic logic
with this more standard notion of consistency will be apparent upon examining the
correlation between assumability of p and the arguability of Mp in a theory, since this
latter condition would seem to say there is a coherent interpretation of the axioms in
which p is consistent. Our logic is weak, however, and so this correlation is weak. (The
correlation is much stronger in the stronger logics mentioned later.) As an approximation,
we note that Mp is arguable if p is arguable, and so instead attempt to correlate
arguability of p with assumability of p. This correlation is as follows. By Theorem 9 the
assumable formulas include the arguable formulas, but not vice versa since C is assumable
but not arguable in PC. The assumable formulas are incomparable with the conceivable
formulas, since C is conceivable but not assumable in

(23) T9 = PC ∪ { C⊃[D∧[MD⊃¬D]] },

and ¬C is assumable but not conceivable in the theory T3 of (17). Also, the assumable
formulas are incomparable with the uncontroversial formulas, since C is assumable but not
uncontroversial in PC, and C is uncontroversial but not assumable in

(24) T10 = PC ∪ { C⊃[D∧[MD⊃¬D]], ¬C⊃[E∧[ME⊃¬E]] }.

We specify another classification by saying that a formula p is safe in a
consistent theory A if and only if p ∈ TH(A') for all consistent A' such that A ⊆ A', and
that p is forseeable if and only if ¬p is not safe. Let Safe(A) = {p : p is safe in A}. We
then can characterize the set Safe(A) as follows.

Theorem 12. If A is consistent, then Safe(A) is the least set such that the following three
conditions hold:

(i) A ⊆ Safe(A)

(ii) Th(Safe(A)) = Safe(A)

(iii) If p ∈ Safe(A), then Mp ∈ Safe(A).

Proof: The first two cases are correct because all formulas classically deducible from safe
formulas (in particular the axioms) will remain classically deducible when the set of
axioms is enlarged. The case of interest is (iii), which declares that "covered"
assumptions are safe. That is, if p ∈ Safe(A), then ¬p cannot be a member of any
consistent extension of A, so Mp will be a member of every consistent extension; thus Mp
is safe. ∎

It is clear that all safe formulas are both assumable and uncontroversial, and
that  these  inclusions  are  proper.  Elementary  considerations  show  further  that  the 
forseeable  formulas  include  the  assumable  and  uncontroversial  formulas,  but  again,  not 
vice  versa.  Also,  the  provable  formulas  properly  include  the  safe  formulas  with  theory  T3 
in  (17)  as  the  example,  and  the  forseeable  formulas  properly  include  the  conceivable 
formulas  via  the  same  example. 

A weakened version of assumability is produced by saying that p is realizable in
a consistent theory A if there is some consistent theory A' such that A ⊆ A' and p ∈ A'.
We also say that p is undeniable if and only if ¬p is not realizable. Clearly, the realizable
formulas include the assumable formulas, but the converse does not hold as MC⊃¬C is not
assumable in PC but is an axiom of the consistent theory T6 in (20). The forseeable
formulas obviously include the realizable formulas, but not vice versa since C is forseeable
but not realizable in the theory T9 of (23). Also, the realizable formulas are
incomparable with the conceivable formulas, since C is conceivable but not realizable in
T9 of (23), and ¬C is realizable but not conceivable in T3 of (17). The example of T10
in (24) provides an example of what following Kripke might be called the paradoxical
formulas of a theory, formulas (in this case C) such that neither they nor their negations
are realizable. The example of T9 in (23) provides an example of what might be called
the intrinsic formulas of a theory, formulas (in this case ¬C) which are realizable and
undeniable.

Putting all these observations together, we arrive at the following diagram of
inclusions. 


This illustrates the distinction between arguability and assumability, that arguability does
not completely capture the notion of assumability. This is probably to be expected from
the Tarski-Gödel results on the indescribability of consistency within consistent theories. It
would be interesting to see a more careful analysis of this situation. One goal of such an
analysis might be to connect the logic of incomplete information implicit in non-monotonic
logic to other logics of incomplete information, such as the S4 interpretation of the
intuitionistic predicate calculus [Heyting 1956, Kripke 1965], Kripke's theory of truth
[Kripke 1975; cf. Martin and Woodruff 1976, Takeuti 1968], and Lipski's theory of
incomplete models [Lipski 1977; cf. Van Frassen 1966, Robinson 1965]. The S4
interpretation of IPC tries to describe the gradual accumulation of mathematical truths,
and seems closely related to our notion of safety. Kripke's theory of truth has strong
similarities to the current theory, for it develops models for the truth of self-referential
and theory-referential statements which are fixed points of a certain operator on partially
defined truth-predicates. Since the acceptable models of truth are restricted to be fixed
points of this operator, there can be never-decided paradoxical statements. The logic of
the natural notions of possibility and necessity thus are not dual, but instead form a
diamond relationship similar to the case for non-monotonic assumability and safety.
Lipski's theory of incomplete models is considerably simpler and stronger than either
Kripke's theory or non-monotonic logic, for his incomplete models can be constructed from
any partial extensions of the predicates of the language, thus producing a certain
completeness in the set of possible models. This logic is particularly interesting in that it
allows for the truth value of formulas to change arbitrarily often upon successive
extensions of models.

In  the  above  we  have  been  concerned  only  with  ways  of  describing  the  evolution 
of  theories  upon  the  addition  of  new  axioms.  One  might  also  define  descriptors  for  the 
case  of  removing  axioms,  or  for  the  past  history  of  provability.  For  example,  assuming 
that  all  subtheories  of  A are  consistent,  we  might  say  that  p is  untested  if  p is  conceivable 
in every subtheory of A. (Cf. [Heyting 1956, p. US]) Are there interesting descriptors of
this  kind?  If  so,  what  are  their  properties?  We  have  not  investigated  these  questions,  but 
suspect  they  may  be  fruitful. 


A Proof  Procedure  for  Non-Monotonic  Statement  Theories 

In this section, we demonstrate a proof procedure for the non-monotonic
statement logic. This procedure is based on the semantic tableau method for the ordinary
sentential calculus [Beth 1958]. In this method, a systematic attempt is made to find a
falsifying interpretation for a formula under test. The formula is labeled "false" or "0",
and semantic rules guide further labeling in an obvious way. For example, to show

     [C ⊃ D] ⊃ [¬C ∨ D],

start by labeling the formula false:

     [C ⊃ D] ⊃ [¬C ∨ D]
             0

For it to be false, its antecedent must be true and its consequent false:

     [C ⊃ D] ⊃ [¬C ∨ D]
        1    0     0


and similarly for disjunction and negation. In order to proceed further, the tableau must
split into two cases to handle the embedded implication:

I.   [C ⊃ D] ⊃ [¬C ∨ D]
      0 1    0  01 0

II.  [C ⊃ D] ⊃ [¬C ∨ D]
      1 1 1  0  01 0 0

In  case  I.,  C is  labeled  both  1 and  0.  In  case  II.,  D is  labeled  both  1 and  0.  Thus  there  is 
no  falsifying  model,  and  the  formula  is  valid. 


On the other hand, consider the tableau for [C ∨ D] ⊃ [C ∧ D]:

(25)  [C ∨ D] ⊃ [C ∧ D]

        [C ∨ D] ⊃ [C ∧ D]
         1 1    0    0

            [C ∨ D] ⊃ [C ∧ D]    CLOSED
             1 1    0  0 0

            [C ∨ D] ⊃ [C ∧ D]    OPEN
             1 1 0  0  1 0 0

        [C ∨ D] ⊃ [C ∧ D]
           1 1  0    0

            [C ∨ D] ⊃ [C ∧ D]    OPEN
             0 1 1  0  0 0 1

            [C ∨ D] ⊃ [C ∧ D]    CLOSED
             1 1 1  0  1 0 0

This tableau has been split twice, for a total of four branches. Two branches are closed as
before, that is, some formula is labeled both true (1) and false (0). But two are open,
that is, there is an exhaustive consistent labeling of formulas. This means that there are
two falsifying models, so the formula is not valid. (Notice that we could have been more
clever in labeling the lines of this tableau. In the second line, for instance, we could have
labeled both C's at once, forcing the D's to be labeled 0, and arriving at an open branch
immediately.)

We will extend this procedure to handle non-monotonic statement theories.
Without going into details, we assume an implementation of the algorithm just alluded to,
which takes a goal and generates the complete tableau for it. (E.g., the goal of (25) is
[C∨D]⊃[C∧D].) A tableau has several branches, each a consistent labeling of
subformulas if one exists (when the branch is open), else a partial labeling (when it is
closed). The tableau is the result of applying all rules to the goal. Two tableaux are
equal if and only if they have the same goal. The tableau of a formula is obviously
computable, since the number of branches is no greater than 2^N, where N is the number
of subformulas of its goal.

We state without proof the following properties of the tableau method:

The procedure is complete in the sense that a formula is provable if and only if
its tableau has all closed branches.

The procedure is exhaustive in the following sense: if X and Y are sets of
formulas such that X ⊆ Y and Y ⊢ p but X ⊬ p, then in the tableau for p, in every
open branch there is some element of Y-X labeled 0.

For non-monotonic logic, we need to generalize to tableau structures. If A is a
statement theory, and p is a formula whose provability is to be tested, then <A, p, t, X>
is an A-tableau structure if and only if t is the tableau with goal A⊃p; and X is the
smallest set such that t ∈ X, and if t' ∈ X, then if Mq appears labeled 0 in some branch b
of t', then t'' ∈ X, where t'' is the tableau with goal A⊃¬q. In this last situation, we say
that t' mentions t'' in branch b.

In  the  classical  procedure,  a tableau  is  closed  if  all  its  branches  are,  and  this  can 
be  determined  unambiguously.  In  the  case  of  a tableau  structure,  we  can't  tell  whether  a 
tableau is closed until we have determined the status of the tableaux it mentions, and
there  may  be  loops  to  contend  with. 

Therefore we introduce the notion of an admissible labeling of a tableau
structure, an assignment of one label, either OPEN or CLOSED, to each tableau in the
structure, such that:

(a) If the tableau with goal A⊃¬q is labeled OPEN, then every occurrence of Mq is
labeled 1 in every tableau, and

(b) A branch is labeled CLOSED if and only if some formula is labeled both 0 and 1
in that branch.

The proof procedure creates tableau structures and labels them, as follows.
Given A and p, the first step is to construct the tableau with goal A⊃p. All other tableaux
needed are then constructed. That is, if some constructed tableau has a formula Mq
labeled 0 in an open branch, then construct the tableau with goal A⊃¬q if that tableau
was not previously constructed. The tableau structure is then checked for admissible
labelings by examining all possible labelings of the tableaux for labelings satisfying the
admissibility test. This test consists of first labeling with 1 each occurrence of Mq in the
tableau structure provided that the structure contains the tableau with goal A⊃¬q labeled
OPEN. Then the labeling is admissible if all tableaux labeled OPEN have some open
branch, and all tableaux labeled CLOSED have every branch closed. If in all admissible
labelings the initial tableau with goal A⊃p is labeled CLOSED, then p is provable, and
otherwise is unprovable. We will shortly prove the correctness of this algorithm.

We first present some examples. In the theory

(26) T11 = SC ∪ { MC⊃¬D, MD⊃¬E, ME⊃¬F }

(see [Sandewall 1972]) the T11-tableau structure for ¬F has only one admissible labeling:

T11 - MC⊃¬D  |  t  ¬F   |  t'  ¬E  |  t''  ¬D  |  t'''  ¬C
        1    |     01   |      01  |       01  |        01
      MD⊃¬E  |  ME      |  MD      |  MC       |
        1    |  0       |  0       |  0        |
      ME⊃¬F  |          |          |           |
        1    |          |          |           |
             |  CLOSED  |  OPEN    |  CLOSED   |  OPEN

Notice that we don't bother to copy the axioms in each tableau, but only those parts that
become relevant. The tableau structure shows that ¬F ∈ TH(T11), but ¬C ∉ TH(T11).

Another  example  is  the  T12-tableau  structure  for  -C,  where 

(27)  T12  = SC  u { MC^D,  MD^-C  ). 


[Figure: the T12-tableau structure for ¬C, with tableaux t (goal ¬C) and t' (goal ¬D).]

This tableau structure has two admissible labelings. If t' is labeled OPEN, t is labeled
CLOSED, and vice versa. So there is an admissible labeling in which t is labeled OPEN,
and ¬C is not provable.

On the other hand, the T12-tableau structure for MC∨MD looks like this:


[Figure: the T12-tableau structure for MC∨MD, with initial tableau t (goal MC∨MD).]

Again, there are two admissible labelings, but in both of them t is labeled CLOSED, so
MC∨MD is a theorem of T12.


(The tableau structures just given are not really complete. It is left as an
exercise for the reader to show that using the axioms to split each tableau into branches
will not change the outcome.)

Theorem 13. The proof procedure always halts and finds all admissible labelings of the
tableau structure for its goal.

Proof: The theorem is easily seen true by noting that because the set of proper axioms
of the theory is finite, only a finite set of tableaux can be constructed. Once this is done,
there are only finitely many labelings to cycle through, with trivial checks for
admissibility and provability. ∎

The  next  two  lemmas  guarantee  the  correctness  of  the  approach. 

Lemma 14. If S is a fixed point of NM_A, there is an admissible labeling of the tableau
structure for A ⊃ p such that p ∈ S if and only if the tableau is labeled CLOSED in that
labeling.

Proof: Let S ∈ FP(A). We will construct the admissible labeling. In the tableau
structure for A ⊃ p, label a tableau OPEN if the goal of the tableau is A ⊃ q and q ∉ S.
Consider one of the remaining tableaux, with goal A ⊃ r. There must be a minimal set of
elements X = {Mq_1, ..., Mq_n}, such that X ⊆ As_A(S) and X ⊢_A r. If X = ∅, then the
tableau for A ⊃ r is closed no matter how assumptions are labeled. Otherwise, by
exhaustiveness, every branch of the tableau has some Mq_i ∈ X labeled 0. So there will be
a tableau for each such A ⊃ ¬q_i. But these tableaux will be labeled OPEN (because
¬q_i ∉ S), so the corresponding branch of the tableau for A ⊃ r will be CLOSED. So the
whole tableau for A ⊃ r will be CLOSED. Further, no open tableau will be labeled
CLOSED, because then there would be a proof of its goal from assumptions. Thus, if the
tableau for A ⊃ p is labeled CLOSED, it can be proved from assumptions in As_A(S), so
p ∈ S. If it is OPEN, p ∉ S by construction. ∎

Lemma 15. If there is an admissible labeling for the tableau structure for A ⊃ p, there is a
fixed point S of NM_A such that, for every tableau with goal A ⊃ q, the tableau is labeled
CLOSED if and only if q ∈ S.
Proof: We construct S from the labeling. Let R_0 be the set of formulas Mq such that the
tableau for A ⊃ ¬q is labeled OPEN. Let S_0 = Th(A ∪ R_0), and let Mq_1, Mq_2, ... be an
enumeration of all the formulas of the form Mq in L - R_0, with the property that if Mq_i is
a subexpression of Mq_j, then i ≤ j. (E.g., MC is a subexpression of M¬MC.)

Define R_{i+1} and S_{i+1}, for i = 0, 1, ..., as follows:

R_{i+1} = R_i if ¬q_{i+1} ∈ S_i, else R_i ∪ {Mq_{i+1}}, and

S_{i+1} = Th(A ∪ R_{i+1}).

Now let S = ∪_{i=0}^∞ S_i, and R = ∪_{i=0}^∞ R_i. Clearly, S_i ⊆ S_{i+1} and S = Th(A ∪ R).
Since NM_A(S) = Th(A ∪ As_A(S)), we can show that NM_A(S) = S by showing that
R = As_A(S).

First, to show As_A(S) ⊆ R. Let ¬q ∉ S. We will show Mq ∈ R. If Mq ∈ R_0, then
since R_0 ⊆ R, Mq ∈ R. Otherwise q must be some q_i. If ¬q ∉ S, then ¬q ∉ S_{i-1}, so
Mq ∈ R_i, so Mq ∈ R.

Second, to show R ⊆ As_A(S), that is, if Mq ∈ R, then ¬q ∉ S. There are two
cases. If Mq ∈ R_0, then there is an OPEN tableau for A ⊃ ¬q. Assume that ¬q ∈ S. Then
there must be a k ≥ 1 such that ¬q ∈ S_k and ¬q ∉ S_{k-1}. So R_k ⊢_A ¬q and R_{k-1} ⊬_A ¬q. But
then by exhaustiveness, Mq_k is labeled 0 in the tableau for A ⊃ ¬q. So there is also a
tableau for A ⊃ ¬q_k. If this tableau is OPEN, then Mq_k ∈ R_0. If this tableau is CLOSED,
Mq_k ∈ S_0, and hence Mq_k ∈ S_{k-1}. Either way, R_k = R_{k-1}, which is impossible.

In the other case, q will be some q_i, so Mq ∈ R_i, and ¬q ∉ S_{i-1}. Assume that
¬q ∈ S, that is, ¬q is an element of some S_k, k ≥ i, and ¬q ∉ S_{k-1}. Then R_k ⊢_A ¬q but
R_{k-1} ⊬_A ¬q, so {Mq_k} ∪ R_{k-1} ⊢_A ¬q.

Now, Mq_k does not occur as a subexpression of q = q_i (since k ≥ i), so Mq_k must
occur in the axioms A. So in some branch of the tableau for A ⊃ ¬q, Mq_k must be labeled
0. But this means that Mq_k must be labeled 0 in some branch of the tableau for A ⊃ p, for
any p. So any tableau structure must have a tableau for A ⊃ ¬q_k. This tableau must be
OPEN, or ¬q_k would be a member of S_0, and hence a member of S_{k-1}. So Mq_k ∈ R_0, so
R_k = R_{k-1}, which is a contradiction.

It remains to show that the labels agree with the fixed point. If the tableau for
A ⊃ ¬q is OPEN, then Mq ∈ S by construction. If it is CLOSED, there is a proof of ¬q
from R_0, so ¬q ∈ S_0. But S_0 ⊆ S, so the final labeling agrees as well. ∎

Theorem 16. If A is a statement theory (a finite extension of the sentential calculus), then
non-monotonic provability in A is decidable.

Proof: Let <A, p, t, X> be the tableau structure for a formula p. If the procedure labels
t CLOSED in every admissible labeling, then there is no fixed point of NM_A which does
not contain p, since there then would be an OPEN labeling. So p is in all fixed points,
and hence provable. If the procedure labels t OPEN in some admissible labeling, there is
a fixed point of NM_A which does not contain p, so p is unprovable. ∎

The proof procedure extends a previous procedure due to Hewitt [1972], and
embodied in Micro-PLANNER [Sussman, Winograd and Charniak 1971], a computer
programming language for (among other things) mechanical theorem proving. A practical
implementation of this procedure would interleave the building and labeling of tableaux,
and would avoid building a complete tableau structure when unnecessary. We invite you
to compare this procedure with, for instance, the tableau-structure method for S5 [Hughes
and Cresswell 1972]. One difference between these procedures is that the present procedure
splits tableaux into branches before generating alternatives, while the S5 procedure splits
the whole set of alternatives into branches.


The  Truth  Maintenance  System 

The only known adequate solutions to the handling of non-monotonic proofs are
Doyle's [1978] TMS program and its descendants [London 1977, McAllester 1978]. With
our theoretical results in hand, we can present an approximate description of what this
program does. The TMS has two basic responsibilities:

(a) It maintains a data base of proofs of formulas generated by an independent
proof procedure or perceptual program. In our terms its goal is to avoid the presence of
both ¬q and Mq in the data base simultaneously.

(b) It detects inconsistencies, and adds axioms to a theory in order to eliminate them.

The TMS keeps track, for each formula in the data base, of the formula's
justifications. A justification of a formula p is a set {p_1, ..., p_n} of formulas which entail
p. Such a justification may be viewed as a fragment of the tableau for A ⊃ p; that is, for
each branch of p's tableau, the justification contains a formula p_i labeled 0 in that
branch.


The basic TMS algorithm searches for a labeling of formulas involved in
justifications. It obeys two principles: p is labeled 1 if and only if all the formulas in
some justification of p are labeled 1, and Mp is labeled 1 if and only if ¬p is labeled 0.
When the TMS finds a labeling satisfying these conditions, it arranges the data base so
that only formulas labeled 1 are "visible" to the higher-level proof procedure or program.
Thus, from the point of view of a program using the TMS, it chooses a subset of formulas
to "believe". These formulas are said to be in; the other formulas are out.

This  is  reminiscent  of  our  proof  procedure's  search  for  admissible  tableau 
labelings,  but  there  are  some  important  differences.  The  TMS  operates  on  partial  sets  of 
tableau  fragments,  so  its  decisions  may  require  revision  as  new  fragments  (justifications) 
are  discovered.  But  there  is  a more  striking  difference  between  our  proof  procedure  and 
the  TMS.  The  TMS  searches  for  just  one  admissible  labeling  of  its  tableau  fragments,  not 
all  such  labelings.  The  most  it  can  hope  to  find  is  one  fixed  point  (actually,  a finite 
subset  of  one),  not  all  of  them.  In  the  terminology  we  developed  earlier,  it  finds  some  of 
the arguable formulas rather than the provable formulas. For example, consider its
behavior on the theory T12 in (27). In this theory, MC is arguable, and so is MD, but
neither is provable (only MC∨MD is provable). Nonetheless, the TMS, given the
justifications {MC} of ¬D and {MD} of ¬C, will pick one of {MC, MD} to be in, and the
other to be out.
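
The contrast just drawn, between the proof procedure that examines every admissible labeling and the TMS that settles on one, can be run on T11 and T12. This is an added example, not code from the paper or from the TMS program: it assumes a restricted fragment in which every proper axiom has the form Mq ⊃ ¬r, encodes each axiom as a pair (q, r), and enumerates labelings by brute force instead of building tableaux. The function names and the theory MC ⊃ ¬C are constructed for illustration.

```python
from itertools import product

# Constructed encodings: (q, r) stands for the axiom Mq ⊃ ¬r.
T11 = [("C", "D"), ("D", "E"), ("E", "F")]   # theory (26)
T12 = [("C", "D"), ("D", "C")]               # theory (27)
NO_FIXED_POINT = [("C", "C")]                # MC ⊃ ¬C, constructed, not from the paper


def admissible_labelings(axioms):
    """Return every admissible labeling as the frozenset of literals labeled 1.

    Literals are strings: "MC" for the assumption MC, "~C" for ¬C.
    """
    atoms = sorted({atom for pair in axioms for atom in pair})
    labelings = []
    for bits in product((0, 1), repeat=len(atoms)):
        m = dict(zip(atoms, bits))  # m[q] == 1 means Mq is labeled 1
        # ¬r is labeled 1 iff some justification {Mq} of ¬r is labeled 1.
        neg = {r: any(m[q] for q, r2 in axioms if r2 == r) for r in atoms}
        # Mq is labeled 1 iff ¬q is labeled 0.
        if all(bool(m[q]) == (not neg[q]) for q in atoms):
            believed = {"M" + q for q in atoms if m[q]}
            believed |= {"~" + r for r in atoms if neg[r]}
            labelings.append(frozenset(believed))
    return labelings


def status(disjuncts, labelings):
    """Classify the disjunction of `disjuncts` over all admissible labelings.

    In this restricted fragment a disjunction of such literals is labeled 1
    exactly when one of its disjuncts is.
    """
    if not labelings:
        return "no fixed point"
    hits = [any(d in lab for d in disjuncts) for lab in labelings]
    if all(hits):
        return "provable"        # labeled 1 in every admissible labeling
    if any(hits):
        return "arguable"        # labeled 1 in some labeling, but not in all
    return "not arguable"


def tms_in_set(labelings):
    """Mimic the TMS: settle on one labeling (here simply the first found)."""
    return labelings[0] if labelings else None


if __name__ == "__main__":
    for name, theory in (("T11", T11), ("T12", T12)):
        print(name, [sorted(lab) for lab in admissible_labelings(theory)])
    labs12 = admissible_labelings(T12)
    for query in (["MC"], ["MD"], ["MC", "MD"], ["~C"]):
        print(" v ".join(query), "->", status(query, labs12))
    print("TMS in-set for T12:", sorted(tms_in_set(labs12)))
    print("MC ⊃ ¬C:", status(["MC"], admissible_labelings(NO_FIXED_POINT)))
```
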

There  are  several  justifications  for  such  jumping  to  conclusions.  One  is  that 
since  all  arguable  formulas  are  also  assumable,  these  decisions  may  at  worst  lead  to  later 
shifts  in  fixed  points.  That  is,  since  arguable  formulas  might  be  added  consistently  later 
on,  it  cannot  hurt  much  to  act  on  the  assumption  that  they  will  be  added.  A more 
pressing  rationale  for  this  behavior  is  that  the  program  or  proof  procedure  using  the  TMS 
typically  depends  on  beliefs  of  certain  types  to  decide  what  to  do,  and  cannot  abide  by 
suspended  judgement;  even  if  there  is  a choice  of  possible  circumstances,  the  program 
expects  the  TMS  to  decide  on  one  so  that  action  may  be  taken. 

Of course, jumping to conclusions in this manner introduces the problem of
having  to  choose  between  fixed  points  of  the  theory.  In  many  cases  this  problem  solves 
itself  because  of  the  way  the  TMS  is  typically  used.  Usually  a program  using  the  TMS  is 
attempting  to  discover  which  fixed  point  of  a theory  corresponds  to  the  real  world.  The 
best  way  to  do  this  is  to  pick  one  model  and  stick  with  it  until  trouble  arises,  and  then 
salvage  as  much  information  as  possible  by  making  as  few  changes  as  necessary. 
"Trouble"  can  take  the  form  of  new  information  or  new  deductions  from  old  information 
conflicting with old information or assumptions. Either way, the response is the same: to
switch  to  a new  fixed  point.  Programs  frequently  try  to  organize  their  use  of  the  TMS  so 
as  to  ensure  the  case  of  a single  fixed  point  being  the  usual  case.  However,  it  is  usually 
not  possible  or  desirable  to  completely  determine  in  this  fashion  how  the  TMS  should 
decide  between  alternate  fixed  points.  One  way  even  more  information  of  this  sort  might 
be used would be to employ Rescher's [1964] suggestion of modal categories as a method
for selecting among the various fixed points generated by a theory. That is, suppose the
formulas of the language are segmented into n+1 modal categories L = M_0 ∪ ... ∪ M_n. Then
given fixed points of a theory A as S_1, ..., S_m, with corresponding sets of assumptions A_1,
..., A_m, we can segment the A_i into components A_{1,0}, ..., A_{1,n}, ..., A_{m,0}, ..., A_{m,n} in
concordance with the modal categories. We can then rank the fixed points by schemes
involving orderings on the vectors of assumption components. Adding such devices to
TMS-like systems is an interesting topic for future research.


The two goals of the TMS, to prevent both ¬p and Mp being in, and to prevent
both p and ¬p being in, give rise to two different types of activity. In the first case, when
a new justification is discovered for some formula which then invalidates some current
assumption, the TMS must reexamine the current labeling to find a new labeling
consonant with the enlarged set of justifications. This process is fairly straightforward,
although there are important special cases concerning circular proofs which require special
care.  This  process  thus  takes  on  the  appearance  of  a relaxation  procedure  for  finding  an 
acceptable  labeling,  and  then  determination  of  non-circular  proofs  for  all  formulas 
labeled  1. 

The second type of inconsistency handled by the TMS, that of p and ¬p being
in, requires somewhat different treatment. In the first type of process just described, the
TMS uses justifications in a unidirectional manner, determining labelings of formulas from
the labelings of the formulas of their justifications, and not vice versa. In the second case,
the TMS must traverse these justifications in the opposite direction, seeking the
assumptions underlying the conflicting formulas. This is why the non-circular proofs are
important tools. To resolve the inconsistency of these assumptions, the TMS converts the
problem to one of the first type by producing a new justification for the denial of one of
the assumptions in terms of the other assumptions. This might be viewed as the TMS
sharing the weakness of our logic; it cannot rule out an assumption Mp by deriving ¬Mp,
but must instead produce a derivation of ¬p. This second process is called
dependency-directed backtracking [Stallman and Sussman 1977].

For example, the existing theory may be { MC⊃E } in which both MC and E
are believed. Adding the axiom MD⊃¬E leads to an inconsistent theory, as MD is assumed
(there being no proof of ¬D), which leads to proving ¬E. The dependency-directed
backtracking process would trace the proofs of E and ¬E, and find that two assumptions, MC
and MD, were responsible. Just concluding ¬MC∨¬MD does no good, since this does not
rule out any assumptions, so the TMS adds the new axiom E⊃¬D which invalidates the
assumption MD and so restores consistency. There are many subtleties involved, as
discussed in [Doyle 1978].

Of course, with non-monotonic logic there is also another kind of inconsistency,
that due to there being no fixed point at all. It can be shown [Charniak et al. 1979] that
the TMS will always find a fixed point of a theory if every subset of the theory is
consistent. Unfortunately, the TMS program can loop forever if given a theory with an
inconsistent subtheory, as the check which could prevent this failure is quite expensive
and only rarely needed in practice, and thus has been omitted from the program.

As we mentioned, this description of the behavior of the TMS is only
approximate. The TMS is incomplete in a certain practically unimportant way; it will not
conclude D from the axioms C⊃D and ¬C⊃D. This type of reasoning is the responsibility
of the program or proof procedure employing the TMS. The above description is slightly
inaccurate in other ways as well, in that the logic of the TMS does not seem to be precisely
the non-monotonic logic we have developed here. For example, the TMS really deals with
only four formulas for each real formula p: Mp, M¬p, Lp, and L¬p. It does not allow
contradictions of the form Lp∧M¬p, but does tolerate inconsistencies of the form Lp∧L¬p
if no assumptions can be found underlying these formulas. This suggests a somewhat
different logic than that previously described, or at least a different interpretation of the
TMS in terms of non-monotonic logic. This type of logic is reminiscent of Belnap's [1976]
four-valued logic of belief. It would be interesting to pursue the connections between
non-monotonic logic, the TMS, and Belnap's logic of belief and relevance logics [Anderson
and Belnap 1975]. Other ways the description of the TMS might be improved would be to
study its algorithmic efficiency to perhaps improve that efficiency, and to guarantee that
the TMS will always find a consistent extension of a theory when one exists.


Discussion 

In  contrast  to  classical  logics,  the  non-monotonic  logics  examined  in  this  paper 
have  the  property  that  extending  a theory  does  not  always  leave  all  theorems  of  the 
original  theory  intact.  Such  logics  are  of  great  practical  interest  in  artificial  intelligence 
research,  but  have  suffered  from  foundational  weakness.  We  have  tried  to  repair  this 
weakness  by  providing  analyses  of  non-monotonic  provability  and  semantics.  Our 
definitions  lead  to  proofs  of  the  completeness  of  non-monotonic  logic  and  the  decidability 
of the non-monotonic sentential calculus.

The  area  of  non-monotonic  logic  is  ripe  for  further  research.  Some  open 
problems  have  been  mentioned  in  the  preceding  sections.  In  the  following,  we  list  some 
further  interesting  topics. 

The  major  problem  for  non-monotonic  logic  is  deciding  provability  for  more 
general cases than statement theories. Unlike classical logic, it appears that the
non-monotonic predicate calculus is not even semi-decidable. That is, there seems to be no
procedure which will tell you when something is a theorem. If there were, then we could
use it to decide whether p was a theorem of number theory by trying to prove p and M¬p
simultaneously,  since  one  of  these  must  be  a theorem  (as  there  is  only  one  non-monotonic 
fixed  point  of  number  theory). 

Are  there  special  cases  in  which  provability  is  decidable  or  semi-decidable?  We 
conjecture  that  many  theories  of  interest  to  artificial  intelligence  are  asymptotically 
decidable, in the following sense: there is a procedure which is allowed to change its
answer an indefinite number of times about whether a formula is provable, but changes
its answer only a finite number of times on each particular formula. (See for example the
problem solving procedures given in [de Kleer et al. 1977]. Note also that classical first-
order  provability  is  asymptotically  decidable  by  a procedure  that  changes  its  answer  only 
once;  answer  "unprovable"  and  then  call  any  complete  proof  procedure,  changing  the 
answer  if  the  proof  procedure  succeeds.)  Asymptotic  decidability  is  a fairly  weak  property 
of  a predicate,  but  it  isn't  vacuous  since  there  are  predicates  (such  as  totality)  which  are 
not  decidable  even  in  this  sense.  Furthermore,  a procedure  of  this  kind  could  be  useful  in 
spite  of  the  provisional  nature  of  its  outputs,  since  a robot  always  has  to  act  on  the  basis 
of  incomplete  cogitation.  Unfortunately,  it  appears  that  even  for  some  finite  first-order 
theories,  provability  is  not  asymptotically  decidable.  We  must  look  for  useful  special  cases. 

We  have  presented  a formalization  of  non-monotonic  logic  which,  although  very 
weak,  captures  most  of  the  important  properties  desired,  especially  with  regard  to  the 
structure of models of non-monotonic theories and their behavior upon extension by new
axioms. The logic seems to be adequate for describing the TMS, an ability following
naturally from the structure and evolution properties just mentioned. The logic also
admits  a proof  of  completeness  and  a proof  procedure  for  the  case  of  statement  theories. 

Unfortunately,  the  weakness  of  the  logic  manifests  itself  in  some  disconcerting 
exceptional  cases  which,  while  essentially  irrelevant  to  the  structure  and  evolution 
properties,  indicate  that  the  logic  fails  to  capture  a coherent  notion  of  consistency.  For 
example,  the  theory 

(28) T13 = PC ∪ { MC⊃D, ¬D }

is inconsistent in our logic because although ¬MC follows from ¬D and MC⊃D, ¬C does
not follow, thus allowing MC to be assumed; and so the theory fails to have a fixed
point. This can be remedied by extending the theory to include ¬C, the approach taken
by the TMS, but this extension seems arbitrary to the casual observer. As it happens,
axioms like MC⊃D are much less common in applications than the unproblematic MC⊃C,
but it would be nice to get rid of this problem. Another incoherence of our logic is that
consistency is not distributive; MC does not follow from M(C∧D). Our logic tolerates
axioms which force an incoherent notion of consistency, as in

(29) T14 = PC ∪ { MC, ¬C }.

A stronger  logic  might  not  allow  this  by  forcing  such  theories  to  be  inconsistent. 

We will remedy this situation in a forthcoming paper, where we present a
strengthened logic such that each fixed point of a consistent theory in the logic will possess
a coherent notion of consistency. This is achieved by augmenting the logic to contain
extensions of S4 in each fixed point. This fixes the problems mentioned above on the
exceptional cases, and preserves the behavior of the logic on the vast majority of cases, in
that all of our results concerning the structure, interrelationships, and evolution of models
of non-monotonic theories carry over to the new logic. In addition, some new results
permit a very elegant description of the logic of theory evolution. This strengthening of the
theory is not quite as drastic as it may seem, for parts of S4 are already present in the
current logic. For example, all instances of the schema Lp⊃p (or p⊃Mp) are provable,
and hence true in all models of any theory in the current logic; the difficulty is that some
of these theories are inconsistent, but would be consistent in the S4 extension. These
improvements have their price, however. Since the new logic includes extensions of S4,
the definition of model must be revised, and a new proof of completeness must be
presented. For the same reason, the proof procedure for statement theories must be
altered, thus requiring a new proof of correctness. As a bonus, however, the stronger
logic has a more elegant model theory, in which the notion of a "stable" model is
correlated with the proof-theoretic notion of a fixed point of a theory.

There are several problems of a mathematical nature raised by non-monotonic
logic. What are the details of the relationship between non-monotonic logic and the logics
of incomplete information? What are the effects of different rules of inference on the
construction of non-monotonic models? What are the details of the evolution of the
properties of decision and provability? Are there interpretations of non-monotonic logic
within classical logics? Are there connections between non-monotonic logic and logics with
statements of infinite length? Is there a topological interpretation of non-monotonic logic
in analogy to the topological interpretation of the intuitionistic calculus?

There  are  also  a number  of  more  speculative  and  long  range  topics  for 
investigation  raised  by  non-monotonic  logic.  The  revision  of  beliefs  performed  by 
artificial  intelligence  programs  can  be  viewed  as  a microscopic  version  of  the  process  of 
change  of  scientific  theories.  (For  a figurative  description  of  such  processes  which  is  very 
close  to  a true  description  of  non-monotonic  logic  and  the  TMS,  see  the  beginning  of 
section 6 of Quine's Two Dogmas of Empiricism.) Can the ideas captured in
non-monotonic logic be used to describe the general process of scientific discovery? How are
the holistic semantics of non-monotonic logic related to changes in meanings? (Cf.
particularly [Dummett 1973].) What are the trade-offs involved in jumping to
conclusions? How costly is the suspension of judgement? Can non-monotonic logic be
used to effectively describe and reason about actions, commands, counterfactuals, causality
and explanation?